Description:
The IPsec service fails to restart when `set vpn ipsec site-to-site peer 33.115.65.120 tunnel 1 protocol 'all'` exists in the configuration before the upgrade (version 1.3.8) and the system is then upgraded to version 1.4.2.
VyOS 1.3.8 (strongSwan 5.7.2) uses ipsec.conf and used to convert "all" to "%any". The `all` option was also available in the CLI:
```
vyos@vyos# set vpn ipsec site-to-site peer 33.115.65.120 tunnel 10 protocol
Possible completions:
<text> IP protocol name from /etc/protocols (e.g. "gre" or "tcp")
<0-255> IP protocol number
ah
all
```
ipsec.conf snippet:
```
conn peer-33.115.65.120-tunnel-1
left=192.168.255.106
right=33.115.65.120
leftsubnet=10.2.2.0/24
rightsubnet=10.50.0.0/24[%any/%any]
leftsubnet=10.2.2.0/24[%any/%any]
ike=aes256gcm128-sha256-ecp256!
keyexchange=ikev2
reauth=no
ikelifetime=36000s
```
After the upgrade to version 1.4, the command is converted to `set vpn ipsec site-to-site peer peer_33-115-65-120 tunnel 1 protocol 'all'` without any migration issue, but the strongSwan service fails to start with the following error message:
```
Jun 25 12:01:54 swanctl[3833]: loading connection 'peer_33-115-65-120' failed: invalid value for: local_ts, config discarded
Jun 25 12:01:54 systemd[1]: strongswan.service: Failed with result 'exit-code'.
Jun 25 12:01:54 systemd[1]: Failed to start strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
```
strongSwan 5.9.11 does not accept the syntax `10.2.2.0/24[all/]`; only a specific protocol can be defined, for example `set vpn ipsec site-to-site peer peer_34-116-67-120 tunnel 1 protocol tcp`.
```
children {
peer_34-116-67-120-tunnel-1 {
esp_proposals = aes256gcm128-sha256-ecp256
life_time = 10800s
local_ts = 10.2.2.0/24[all/]
remote_ts = 10.50.0.0/24[all/]
```
If the command is entered directly in 1.4.2, the service fails on commit and then recovers within seconds, but the peer configuration is not seen in the loaded connections, as verified with the `swanctl -L` command:
```
vyos@vyos# commit
[ vpn ipsec ]
Job for strongswan.service failed.
See "systemctl status strongswan.service" and "journalctl -xeu strongswan.service" for details.
```
Attached configuration to test in 1.4.2: {F15391543}
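
A pre-upgrade check for the condition in this report, as an added example (not VyOS project code): it scans `show configuration commands` output for tunnels set to `protocol 'all'`, and a swanctl configuration for traffic selectors rendered with `all` in the protocol field. The function names are hypothetical and the sample inputs are constructed from the commands and values quoted above.

```python
import re

# 1.3-style (peer by address) and 1.4-style (peer by name) tunnel protocol commands.
TUNNEL_PROTO = re.compile(
    r"^set vpn ipsec site-to-site peer (?P<peer>\S+) "
    r"tunnel (?P<tunnel>\d+) protocol '?(?P<proto>[^'\s]+)'?$")
# Traffic selector lines in a swanctl configuration, e.g. local_ts = 10.2.2.0/24[all/]
TS_LINE = re.compile(r"^\s*(?P<key>local_ts|remote_ts)\s*=\s*(?P<value>\S.*?)\s*$")
TS_PROTO = re.compile(r"\[(?P<proto>[^/\]]*)(?:/[^\]]*)?\]")

# Constructed sample input, using the commands and values quoted in the report.
SAMPLE_COMMANDS = """\
set vpn ipsec site-to-site peer 33.115.65.120 tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer peer_33-115-65-120 tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer peer_34-116-67-120 tunnel 1 protocol tcp
"""
SAMPLE_SWANCTL = """\
children {
    peer_34-116-67-120-tunnel-1 {
        esp_proposals = aes256gcm128-sha256-ecp256
        life_time = 10800s
        local_ts = 10.2.2.0/24[all/]
        remote_ts = 10.50.0.0/24[all/]
"""

def find_protocol_all(config_commands):
    """Return (peer, tunnel) for every tunnel configured with protocol 'all'."""
    hits = []
    for line in config_commands.splitlines():
        m = TUNNEL_PROTO.match(line.strip())
        if m and m.group("proto") == "all":
            hits.append((m.group("peer"), int(m.group("tunnel"))))
    return hits

def find_all_selectors(swanctl_text):
    """Return (line_no, key, value) for selectors whose protocol field is 'all'."""
    hits = []
    for no, line in enumerate(swanctl_text.splitlines(), 1):
        m = TS_LINE.match(line)
        if m and any(p.group("proto") == "all"
                     for p in TS_PROTO.finditer(m.group("value"))):
            hits.append((no, m.group("key"), m.group("value")))
    return hits

if __name__ == "__main__":
    for peer, tunnel in find_protocol_all(SAMPLE_COMMANDS):
        print(f"peer {peer} tunnel {tunnel}: protocol 'all' set")
    for no, key, value in find_all_selectors(SAMPLE_SWANCTL):
        print(f"swanctl line {no}: {key} = {value}")
```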